How to Remember Login Status With OAuth

Hi,
I have set up Google OAuth2 login on a PHP project, which is working well.
The app uses Docker for development and on production.
Earlier I was using the regular Wappler security provider, where the user would not get logged out when I did newer deployments.

With OAuth2, I have set up a security login with DB Security Provider and have set “remember me” to 1, but with every new deployment, I get logged out.
How to prevent that? Please help.

Bump.

@patrick Please help.

Your login is stored in a session, which is lost after a server restart. The remember me from the security provider logs you in again using the cookie; OAuth, however, doesn’t have that. You have to store the retrieved tokens yourself, in a database for example, if you want them to persist after a server restart.

Ok. And how do I reuse the tokens?
I have a very bad experience with OAuth2 - something always goes wrong - so not very confident working with it.

Hi @sid,
As @patrick mentioned, save the required token and you will create a new token with this token. I remember providing the Google refresh token API for this.

https://developers.google.com/identity/protocols/oauth2#:~:text=If%20your%20application%20needs%20access,long%20as%20they%20remain%20valid.

Thanks. I have such a configuration in my other app, where I use OAuth2 for calendar.

But for login, I don’t see how this will work.
When a user comes back to the website, how would I know which user’s refresh token to use to log them again?
Each user who logs in will have a different refresh token generated and stored in DB.

I need the system to not logout the user. Can you please explain?

When the user logs in, information about the user will be returned to you, including Google username, name, token, etc. There is information. After the user has successfully logged in (with auth2), you will update or renew the token information by finding the relevant user in your own database using the information returned.

However, in order to achieve the exact result you want to achieve, you will also need to make the login process on the server side using the Wappler security provider (i.e. find the user with the information returned from Google auth2, use the required username and password and enable them to log in in the background again).

I don’t think you are getting my point.
I already have the Wappler security provider set up with remember me = 1.

Once a user has been logged out, how do I identify which user was logged out on the particular browser to re-login them directly via OAuth2? OR even with just the Wappler security provider?

Don’t know that. So I don’t think there is a simple way to do this with OAuth2.
To overcome this problem:
If the user is registered with OAuth2, I had to log in with OAuth2 only. In this way, the remember me feature worked. (I followed the way I mentioned above for remember me for all users logged in with OAuth2.)

So how do you use security restrict in that case?

If the user has chosen OAuth2 as the registration method while registering:
I create the user in my database with the information returned from OAuth2, because OAuth2 provides me with all the necessary information for user registration. I can also provide security with Wappler.
And
when the user wants to log in:
I am searching the database for the username returned from OAuth2 and looking at which method it is registered with.
If it is OAuth2, it redirects to the relevant Google page and Google asks the user for the password, then the token is created. If the token is created successfully, I send the username and password again to enable the server to re-login with the security provider. In this way, I can ensure security with Wappler.

If you find a simpler way, I would like you to share it.

This is all good. I don’t have the check that you have. It’s a Google-only login setup.

The question here is, does your OAuth2 user get logged out when you do a new deployment? And is it a PHP app?

No, because that’s how I was able to use the refresh token.
It is a PHP app.

I hope I was able to provide you with ideas for your solution.

I don’t understand why the refresh token would even play a role here.
The user is logged in using security provider… OAuth is just part of authentication flow in this case since we both are using Wappler’s security provider to actually say that user is logged in or not.

@patrick Please help. What do I do with the token so that the user is not logged out of the Wappler security provider?

Hi Sid, did you find a solution for this by any chance?

No, I did not.
The user still gets logged out after deployment, if they were logged in via OAuth2.
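
Added example (not part of the thread and not Wappler's own code): one common way to answer the question raised above, how to tell which user a browser belongs to once the server-side session is lost, is a persistent remember-me cookie issued after the OAuth2 callback has identified the user and checked against a database table on later visits. The table `remember_tokens`, the two function names and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Added example; table and function names are hypothetical.
// In-memory SQLite stands in for the app database, which survives a redeploy.

function issueRememberToken(PDO $db, int $userId, int $ttl = 2592000): string
{
    $selector  = bin2hex(random_bytes(12)); // lookup key, not secret
    $validator = bin2hex(random_bytes(32)); // secret, stored only as a hash
    $db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $validator), $userId, time() + $ttl]);
    return $selector . ':' . $validator;    // value for a Secure, HttpOnly cookie
}

function userFromRememberToken(PDO $db, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;                        // malformed cookie
    }
    $stmt = $db->prepare('SELECT * FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$parts[0]]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < time()) {
        return null;                        // unknown or expired token
    }
    // Compare hashes in constant time; the raw validator is never stored.
    if (!hash_equals($row['validator_hash'], hash('sha256', $parts[1]))) {
        return null;
    }
    // Single use: delete the row so a copied cookie cannot be replayed.
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')
       ->execute([$parts[0]]);
    return (int) $row['user_id'];
}

// Constructed demo: user id 42 is a made-up value.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE remember_tokens (selector TEXT PRIMARY KEY,
    validator_hash TEXT, user_id INTEGER, expires_at INTEGER)');

$cookie = issueRememberToken($db, 42);           // after the OAuth2 callback
var_dump(userFromRememberToken($db, $cookie));   // first visit after a redeploy
var_dump(userFromRememberToken($db, $cookie));   // same cookie presented again
var_dump(userFromRememberToken($db, 'bogus'));   // malformed value
```

In an application, `userFromRememberToken` would run only when no session exists, and a returned user ID would be passed to the normal login step before a fresh token is issued and set as the new cookie.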